Revision tags: v4.17.1, v4.17, v4.16 |
|
#
e9a441b6 |
| 29-Mar-2018 |
Kirill Tkhai <ktkhai@virtuozzo.com> |
xfrm: Register xfrm_dev_notifier in appropriate place
Currently, driver registers it from pernet_operations::init method, and this breaks modularity, because initialization of net namespace and netd
xfrm: Register xfrm_dev_notifier in appropriate place
Currently, driver registers it from pernet_operations::init method, and this breaks modularity, because initialization of net namespace and netdevice notifiers are orthogonal actions. We don't have per-namespace netdevice notifiers; all of them are global for all devices in all namespaces.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
779b7931 |
| 01-Mar-2018 |
Daniel Axtens <dja@axtens.net> |
net: rename skb_gso_validate_mtu -> skb_gso_validate_network_len
If you take a GSO skb, and split it into packets, will the network length (L3 headers + L4 headers + payload) of those packets be sma
net: rename skb_gso_validate_mtu -> skb_gso_validate_network_len
If you take a GSO skb, and split it into packets, will the network length (L3 headers + L4 headers + payload) of those packets be small enough to fit within a given MTU?
skb_gso_validate_mtu gives you the answer to that question. However, we recently added to add a way to validate the MAC length of a split GSO skb (L2+L3+L4+payload), and the names get confusing, so rename skb_gso_validate_mtu to skb_gso_validate_network_len
Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
Revision tags: v4.15 |
|
#
aa5dd6fa |
| 18-Jan-2018 |
Aviad Yehezkel <aviadye@mellanox.com> |
xfrm: fix error flow in case of add state fails
If add state fails in case of device offload, netdev refcount will be negative since gc task is attempting to dev_free this state. This is fixed by pu
xfrm: fix error flow in case of add state fails
If add state fails in case of device offload, netdev refcount will be negative since gc task is attempting to dev_free this state. This is fixed by putting NULL in state dev field.
Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com> Signed-off-by: Boris Pismeny <borisp@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
50bd870a |
| 14-Jan-2018 |
Yossef Efraim <yossefe@mellanox.com> |
xfrm: Add ESN support for IPSec HW offload
This patch adds ESN support to IPsec device offload. Adding new xfrm device operation to synchronize device ESN.
Signed-off-by: Yossef Efraim <yossefe@mel
xfrm: Add ESN support for IPSec HW offload
This patch adds ESN support to IPsec device offload. Adding new xfrm device operation to synchronize device ESN.
Signed-off-by: Yossef Efraim <yossefe@mellanox.com> Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
92a23206 |
| 19-Dec-2017 |
Shannon Nelson <shannon.nelson@oracle.com> |
xfrm: check for xdo_dev_ops add and delete
This adds a check for the required add and delete functions up front at registration time to be sure both are defined.
Since both the features check and t
xfrm: check for xdo_dev_ops add and delete
This adds a check for the required add and delete functions up front at registration time to be sure both are defined.
Since both the features check and the registration check are looking at the same things, break out the check for both to call.
Lastly, for some reason the feature check was setting xfrmdev_ops to NULL if the NETIF_F_HW_ESP bit was missing, which would probably surprise the driver later if the driver turned its NETIF_F_HW_ESP bit back on. We shouldn't be messing with the driver's callback list, so we stop doing that with this patch.
Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
95bff4b5 |
| 20-Dec-2017 |
Steffen Klassert <steffen.klassert@secunet.com> |
xfrm: Allow to use the layer2 IPsec GSO codepath for software crypto.
We now have support for asynchronous crypto operations in the layer 2 TX path. This was the missing part to allow the GSO codepa
xfrm: Allow to use the layer2 IPsec GSO codepath for software crypto.
We now have support for asynchronous crypto operations in the layer 2 TX path. This was the missing part to allow the GSO codepath for software crypto, so allow this codepath now.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
f53c7239 |
| 20-Dec-2017 |
Steffen Klassert <steffen.klassert@secunet.com> |
net: Add asynchronous callbacks for xfrm on layer 2.
This patch implements asynchronous crypto callbacks and a backlog handler that can be used when IPsec is done at layer 2 in the TX path. It also
net: Add asynchronous callbacks for xfrm on layer 2.
This patch implements asynchronous crypto callbacks and a backlog handler that can be used when IPsec is done at layer 2 in the TX path. It also extends the skb validate functions so that we can update the driver transmit return codes based on async crypto operation or to indicate that we queued the packet in a backlog queue.
Joint work with: Aviv Heller <avivh@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
3dca3f38 |
| 20-Dec-2017 |
Steffen Klassert <steffen.klassert@secunet.com> |
xfrm: Separate ESP handling from segmentation for GRO packets.
We change the ESP GSO handlers to only segment the packets. The ESP handling and encryption is defered to validate_xmit_xfrm() where th
xfrm: Separate ESP handling from segmentation for GRO packets.
We change the ESP GSO handlers to only segment the packets. The ESP handling and encryption is defered to validate_xmit_xfrm() where this is done for non GRO packets too. This makes the code more robust and prepares for asynchronous crypto handling.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
43024b9c |
| 28-Nov-2017 |
Yossef Efraim <yossefe@mellanox.com> |
xfrm: Fix xfrm_dev_state_add to fail for unsupported HW SA option
xfrm_dev_state_add function returns success for unsupported HW SA options. Resulting the calling function to create SW SA without co
xfrm: Fix xfrm_dev_state_add to fail for unsupported HW SA option
xfrm_dev_state_add function returns success for unsupported HW SA options. Resulting the calling function to create SW SA without corrlating HW SA. Desipte IPSec device offloading option was chosen. These not supported HW SA options are hard coded within xfrm_dev_state_add function. SW backward compatibility will break if we add any of these option as old HW will fail with new SW.
This patch changes the behaviour to return -EINVAL in case unsupported option is chosen. Notifying user application regarding failure and not breaking backward compatibility for newly added HW SA options.
Signed-off-by: Yossef Efraim <yossefe@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
0f6c480f |
| 28-Nov-2017 |
David Miller <davem@davemloft.net> |
xfrm: Move dst->path into struct xfrm_dst
The first member of an IPSEC route bundle chain sets it's dst->path to the underlying ipv4/ipv6 route that carries the bundle.
Stated another way, if one w
xfrm: Move dst->path into struct xfrm_dst
The first member of an IPSEC route bundle chain sets it's dst->path to the underlying ipv4/ipv6 route that carries the bundle.
Stated another way, if one were to follow the xfrm_dst->child chain of the bundle, the final non-NULL pointer would be the path and point to either an ipv4 or an ipv6 route.
This is largely used to make sure that PMTU events propagate down to the correct ipv4 or ipv6 route.
When we don't have the top of an IPSEC bundle 'dst->path == dst'.
Move it down into xfrm_dst and key off of dst->xfrm.
Signed-off-by: David S. Miller <davem@davemloft.net> Reviewed-by: Eric Dumazet <edumazet@google.com>
show more ...
|
#
b6ca8bd5 |
| 28-Nov-2017 |
David Miller <davem@davemloft.net> |
xfrm: Move child route linkage into xfrm_dst.
XFRM bundle child chains look like this:
xdst1 --> xdst2 --> xdst3 --> path_dst
All of xdstN are xfrm_dst objects and xdst->u.dst.xfrm is non-NULL. T
xfrm: Move child route linkage into xfrm_dst.
XFRM bundle child chains look like this:
xdst1 --> xdst2 --> xdst3 --> path_dst
All of xdstN are xfrm_dst objects and xdst->u.dst.xfrm is non-NULL. The final child pointer in the chain, here called 'path_dst', is some other kind of route such as an ipv4 or ipv6 one.
The xfrm output path pops routes, one at a time, via the child pointer, until we hit one which has a dst->xfrm pointer which is NULL.
We can easily preserve the above mechanisms with child sitting only in the xfrm_dst structure. All children in the chain before we break out of the xfrm_output() loop have dst->xfrm non-NULL and are therefore xfrm_dst objects.
Since we break out of the loop when we find dst->xfrm NULL, we will not try to dereference 'dst' as if it were an xfrm_dst.
Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
Revision tags: v4.13.16, v4.14, v4.13.5 |
|
#
67a63387 |
| 04-Sep-2017 |
Steffen Klassert <steffen.klassert@secunet.com> |
xfrm: Fix negative device refcount on offload failure.
Reset the offload device at the xfrm_state if the device was not able to offload the state. Otherwise we drop the device refcount twice.
Fixes
xfrm: Fix negative device refcount on offload failure.
Reset the offload device at the xfrm_state if the device was not able to offload the state. Otherwise we drop the device refcount twice.
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") Reported-by: Shannon Nelson <shannon.nelson@oracle.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
Revision tags: v4.13 |
|
#
077fbac4 |
| 10-Aug-2017 |
Lorenzo Colitti <lorenzo@google.com> |
net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for routing lookups to use marks in order for packets to be routed correctly. An example of such
net: xfrm: support setting an output mark.
On systems that use mark-based routing it may be necessary for routing lookups to use marks in order for packets to be routed correctly. An example of such a system is Android, which uses socket marks to route packets via different networks.
Currently, routing lookups in tunnel mode always use a mark of zero, making routing incorrect on such systems.
This patch adds a new output_mark element to the xfrm state and a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output mark differs from the existing xfrm mark in two ways:
1. The xfrm mark is used to match xfrm policies and states, while the xfrm output mark is used to set the mark (and influence the routing) of the packets emitted by those states. 2. The existing mark is constrained to be a subset of the bits of the originating socket or transformed packet, but the output mark is arbitrary and depends only on the state.
The use of a separate mark provides additional flexibility. For example:
- A packet subject to two transforms (e.g., transport mode inside tunnel mode) can have two different output marks applied to it, one for the transport mode SA and one for the tunnel mode SA. - On a system where socket marks determine routing, the packets emitted by an IPsec tunnel can be routed based on a mark that is determined by the tunnel, not by the marks of the unencrypted packets. - Support for setting the output marks can be introduced without breaking any existing setups that employ both mark-based routing and xfrm tunnel mode. Simply changing the code to use the xfrm mark for routing output packets could xfrm mark could change behaviour in a way that breaks these setups.
If the output mark is unspecified or set to zero, the mark is not set or changed.
Tested: make allyesconfig; make -j64 Tested: https://android-review.googlesource.com/452776 Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
ffdb5211 |
| 01-Aug-2017 |
Ilan Tayari <ilant@mellanox.com> |
xfrm: Auto-load xfrm offload modules
IPSec crypto offload depends on the protocol-specific offload module (such as esp_offload.ko).
When the user installs an SA with crypto-offload, load the offloa
xfrm: Auto-load xfrm offload modules
IPSec crypto offload depends on the protocol-specific offload module (such as esp_offload.ko).
When the user installs an SA with crypto-offload, load the offload module automatically, in the same way that the protocol module is loaded (such as esp.ko)
Signed-off-by: Ilan Tayari <ilant@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
ec30d78c |
| 17-Jul-2017 |
Florian Westphal <fw@strlen.de> |
xfrm: add xdst pcpu cache
retain last used xfrm_dst in a pcpu cache. On next request, reuse this dst if the policies are the same.
The cache will not help with strict RR workloads as there is no hi
xfrm: add xdst pcpu cache
retain last used xfrm_dst in a pcpu cache. On next request, reuse this dst if the policies are the same.
The cache will not help with strict RR workloads as there is no hit.
The cache packet-path part is reasonably small, the notifier part is needed so we do not add long hangs when a device is dismantled but some pcpu xdst still holds a reference, there are also calls to the flush operation when userspace deletes SAs so modules can be removed (there is no hit.
We need to run the dst_release on the correct cpu to avoid races with packet path. This is done by adding a work_struct for each cpu and then doing the actual test/release on each affected cpu via schedule_work_on().
Test results using 4 network namespaces and null encryption:
ns1 ns2 -> ns3 -> ns4 netperf -> xfrm/null enc -> xfrm/null dec -> netserver
what TCP_STREAM UDP_STREAM UDP_RR Flow cache: 14644.61 294.35 327231.64 No flow cache: 14349.81 242.64 202301.72 Pcpu cache: 14629.70 292.21 205595.22
UDP tests used 64byte packets, tests ran for one minute each, value is average over ten iterations.
'Flow cache' is 'net-next', 'No flow cache' is net-next plus this series but without this patch.
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
#
09c75704 |
| 17-Jul-2017 |
Florian Westphal <fw@strlen.de> |
xfrm: remove flow cache
After rcu conversions performance degradation in forward tests isn't that noticeable anymore.
See next patch for some numbers.
A followup patcg could then also remove genid
xfrm: remove flow cache
After rcu conversions performance degradation in forward tests isn't that noticeable anymore.
See next patch for some numbers.
A followup patcg could then also remove genid from the policies as we do not cache bundles anymore.
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
Revision tags: v4.12 |
|
#
b81f884a |
| 01-Jun-2017 |
Hangbin Liu <liuhangbin@gmail.com> |
xfrm: fix xfrm_dev_event() missing when compile without CONFIG_XFRM_OFFLOAD
In commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") we make xfrm_device.o only compiled when enable opti
xfrm: fix xfrm_dev_event() missing when compile without CONFIG_XFRM_OFFLOAD
In commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") we make xfrm_device.o only compiled when enable option CONFIG_XFRM_OFFLOAD. But this will make xfrm_dev_event() missing if we only enable default XFRM options.
Then if we set down and unregister an interface with IPsec on it. there will no xfrm_garbage_collect(), which will cause dev usage count hold and get error like:
unregister_netdevice: waiting for <dev> to become free. Usage count = 4
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
Revision tags: v4.10.17 |
|
#
24d472e4 |
| 18-May-2017 |
Wei Yongjun <weiyongjun1@huawei.com> |
xfrm: Make function xfrm_dev_register static
Fixes the following sparse warning:
net/xfrm/xfrm_device.c:141:5: warning: symbol 'xfrm_dev_register' was not declared. Should it be static?
Signed-of
xfrm: Make function xfrm_dev_register static
Fixes the following sparse warning:
net/xfrm/xfrm_device.c:141:5: warning: symbol 'xfrm_dev_register' was not declared. Should it be static?
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
Revision tags: v4.10.16 |
|
#
2c1497bb |
| 08-May-2017 |
Ilan Tayari <ilant@mellanox.com> |
xfrm: Fix NETDEV_DOWN with IPSec offload
Upon NETDEV_DOWN event, all xfrm_state objects which are bound to the device are flushed.
The condition for this is wrong, though, testing dev->hw_features
xfrm: Fix NETDEV_DOWN with IPSec offload
Upon NETDEV_DOWN event, all xfrm_state objects which are bound to the device are flushed.
The condition for this is wrong, though, testing dev->hw_features instead of dev->features. If a device has non-user-modifiable NETIF_F_HW_ESP, then its xfrm_state objects are not flushed, causing a crash later on after the device is deleted.
Check dev->features instead of dev->hw_features.
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") Signed-off-by: Ilan Tayari <ilant@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
Revision tags: v4.10.15, v4.10.14, v4.10.13, v4.10.12, v4.10.11 |
|
#
f6e27114 |
| 14-Apr-2017 |
Steffen Klassert <steffen.klassert@secunet.com> |
net: Add a xfrm validate function to validate_xmit_skb
When we do IPsec offloading, we need a fallback for packets that were targeted to be IPsec offloaded but rerouted to a device that does not sup
net: Add a xfrm validate function to validate_xmit_skb
When we do IPsec offloading, we need a fallback for packets that were targeted to be IPsec offloaded but rerouted to a device that does not support IPsec offload. For that we add a function that checks the offloading features of the sending device and and flags the requirement of a fallback before it calls the IPsec output function. The IPsec output function adds the IPsec trailer and does encryption if needed.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
d77e38e6 |
| 14-Apr-2017 |
Steffen Klassert <steffen.klassert@secunet.com> |
xfrm: Add an IPsec hardware offloading API
This patch adds all the bits that are needed to do IPsec hardware offload for IPsec states and ESP packets. We add xfrmdev_ops to the net_device. xfrmdev_o
xfrm: Add an IPsec hardware offloading API
This patch adds all the bits that are needed to do IPsec hardware offload for IPsec states and ESP packets. We add xfrmdev_ops to the net_device. xfrmdev_ops has function pointers that are needed to manage the xfrm states in the hardware and to do a per packet offloading decision.
Joint work with: Ilan Tayari <ilant@mellanox.com> Guy Shapiro <guysh@mellanox.com> Yossi Kuperman <yossiku@mellanox.com>
Signed-off-by: Guy Shapiro <guysh@mellanox.com> Signed-off-by: Ilan Tayari <ilant@mellanox.com> Signed-off-by: Yossi Kuperman <yossiku@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
show more ...
|
#
21f42cc9 |
| 14-Apr-2017 |
Steffen Klassert <steffen.klassert@secunet.com> |
xfrm: Move device notifications to a sepatate file
This is needed for the upcomming IPsec device offloading.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
#
78e65875 |
| 21-Jun-2021 |
Ayush Sawal <ayush.sawal@chelsio.com> |
xfrm: Fix xfrm offload fallback fail case [ Upstream commit dd72fadf2186fc8a6018f97fe72f4d5ca05df440 ] In case of xfrm offload, if xdo_dev_state_add() of driver returns -EOPNOTS
xfrm: Fix xfrm offload fallback fail case [ Upstream commit dd72fadf2186fc8a6018f97fe72f4d5ca05df440 ] In case of xfrm offload, if xdo_dev_state_add() of driver returns -EOPNOTSUPP, xfrm offload fallback is failed. In xfrm state_add() both xso->dev and xso->real_dev are initialized to dev and when err(-EOPNOTSUPP) is returned only xso->dev is set to null. So in this scenario the condition in func validate_xmit_xfrm(), if ((x->xso.dev != dev) && (x->xso.real_dev == dev)) return skb; returns true, due to which skb is returned without calling esp_xmit() below which has fallback code. Hence the CRYPTO_FALLBACK is failing. So fixing this with by keeping x->xso.real_dev as NULL when err is returned in func xfrm_dev_state_add(). Fixes: bdfd2d1fa79a ("bonding/xfrm: use real_dev instead of slave_dev") Signed-off-by: Ayush Sawal <ayush.sawal@chelsio.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
show more ...
|
#
58f8f107 |
| 26-Mar-2021 |
Steffen Klassert <steffen.klassert@secunet.com> |
xfrm: Provide private skb extensions for segmented and hw offloaded ESP packets [ Upstream commit c7dbf4c08868d9db89b8bfe8f8245ca61b01ed2f ] Commit 94579ac3f6d0 ("xfrm: Fix double E
xfrm: Provide private skb extensions for segmented and hw offloaded ESP packets [ Upstream commit c7dbf4c08868d9db89b8bfe8f8245ca61b01ed2f ] Commit 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec crypto offload.") added a XFRM_XMIT flag to avoid duplicate ESP trailer insertion on HW offload. This flag is set on the secpath that is shared amongst segments. This lead to a situation where some segments are not transformed correctly when segmentation happens at layer 3. Fix this by using private skb extensions for segmented and hw offloaded ESP packets. Fixes: 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec crypto offload.") Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
show more ...
|
#
7bed1455 |
| 25-Jun-2020 |
David S. Miller <davem@davemloft.net> |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Minor overlapping changes in xfrm_device.c, between the double ESP trailing bug fix setting the XFRM_INIT flag and the chan
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Minor overlapping changes in xfrm_device.c, between the double ESP trailing bug fix setting the XFRM_INIT flag and the changes in net-next preparing for bonding encryption support. Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|